CVE-2008-1368

Name of the Vulnerable Software and Affected Versions Microsoft Internet Explorer versions 5 and 6

Description A CRLF injection issue allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded CRLF (%0D%0A) before the FTP command. This causes the commands to be inserted into an authenticated FTP connection established earlier in the same browser session. For example, a DELE command can be used to demonstrate this issue. A trailing "//" can force the browser to try to reuse an existing authenticated connection.

Recommendations For Microsoft Internet Explorer version 5, avoid using ftp:// URLs that contain URL-encoded CRLF (%0D%0A) until a fix is available. For Microsoft Internet Explorer version 6, consider disabling the reuse of existing authenticated FTP connections as a temporary workaround until a patch is available.